Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751547AbdISNyl (ORCPT <rfc822;w@1wt.eu>);
        Tue, 19 Sep 2017 09:54:41 -0400
Received: from mail-cys01nam02hn0210.outbound.protection.outlook.com ([104.47.37.210]:60069
        "EHLO NAM02-CY1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751263AbdISNy2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Sep 2017 09:54:28 -0400
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=meng.xu@gatech.edu; 
Subject: Re: [PATCH] ALSA: asihpi: fix a potential double-fetch bug when
 copying puhm
To: Takashi Iwai <tiwai@suse.de>, Meng Xu <mengxu.gatech@gmail.com>
Cc: alsa-devel@alsa-project.org, perex@perex.cz, vlad@tsyrklevich.net,
        linux-kernel@vger.kernel.org, sanidhya@gatech.edu, taesoo@gatech.edu
References: <1505798516-22482-1-git-send-email-mengxu.gatech@gmail.com>
 <s5h377jgncb.wl-tiwai@suse.de>
From: Meng Xu <meng.xu@gatech.edu>
Message-ID: <8b2e7d4a-6b77-ffed-176f-257219b9ecb5@gatech.edu>
Date: Tue, 19 Sep 2017 09:54:22 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <s5h377jgncb.wl-tiwai@suse.de>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Originating-IP: [143.215.130.72]
X-ClientProxiedBy: BN6PR12CA0027.namprd12.prod.outlook.com (10.160.47.13) To
 BLUPR0701MB1729.namprd07.prod.outlook.com (10.163.85.143)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: e004d725-59ce-48c9-f50e-08d4ff65f0cb
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:BLUPR0701MB1729;
X-Microsoft-Exchange-Diagnostics: 1;BLUPR0701MB1729;3:Sm7bY6Fteua7EsfqB14k7DmiJBKyaGabPb/UWoD5prl/CdL1I7V46XMixrMv45HnliAD0U5ERWSPpZiS0qD3DF7zWAJFzVuTG+s3oi+NgG730Lbz8wSFATJC4rfB4jdrkBAZ20G3gN2tsQThEnzDpHTYHmFrma1DXTt26PemY2VZZYmjWKVSdAJqe/Mf8YYXSFLOMS2NgKA0Y00TXituWWF9j+NYggyMn1iGnuZac790soVcoVwtZfosrBifIcRd;25:4x+Uk3o/Hi2zqpJdUwyrk0fEsU65NuuYhCAhUZ2CO0pJ521AmdR+EVhzQa1s0YI6ouukrBNRYLD4eun2eAY/r5+eUwMPn5BxVmzMCZ99RzRZI88t/KlA2z5g1HGjPBlSou6PhzNaL9/UGrqHbmrlPUWi83BTLUzA17i9CiU5fAiGOXfj50nYkVeQTLmrPjpFdrlAR/KYsJDJGRKfwlM+znhI1U0XKUFFjeC9NZVDu3LT0GwW2D210qlx5apflfTYkluinm7r6+YEMntUp5dyQCxZrCZaZkPjGE0644WdsJG/FJ3brpDi6C8/EpfrOjcD16WNkryS7xdi29hOGzUrpg==;31:2VkCa913H1Lq3880ZsNTqwHS2hKZxE8l/Xx8crv7DXh+y61L4Nkkw9puaDqBRIzqmtn27hM20A9B7G9DgdXIbl6txJ8Z1oQWNUUkyyW2tn7zI4hoAAiH9WqBYcwXkqO+43bisL4D3hnjtkeXImgAmX2AH7D0egURTtK6/E05en9NtZLM8NdRspKMiz4mtFf8fn04cg7c5ZgCd4aH9t2877a9B+lBSOP3meUnGtoBT6c=
X-MS-TrafficTypeDiagnostic: BLUPR0701MB1729:
X-Microsoft-Exchange-Diagnostics: 1;BLUPR0701MB1729;20:aiesdd6D9nvaPFblYkN0Gz24M/kE1GzU4U33+J66rLtQDdLdO3AVo9zXzoXpKkfnzrKd41fCdRX20Y31CMGsU2JcDw5t5EFPn5xdYrRf3GioOEdqQbzrMql7n4MWV8iPD5j6RMAb9t8jEftQiJJnJJZPHbAhZZ1+13sllRyIDrKtGIt3y9PBud3ApSpcaHs4SBnx8xs9j+6MlPQuf+1UeRqa0mWN8VIPM1DZ3M0tJoQLrJNrX0kZOR9oChJ7PqHOxYb8BAe3OpVuMNnD5bSM0tm/pJgXRRX5FUTt/BXeqzZact7teHGxhAOM+E9HhrGjfpn2DQBNGU+2sIykYEt4yw==;4:bFC4UmZXVLGvajwVLfZzvimlma4qELPMzNZHparoLhqcff6Ksz40YU2kpY2iZaWJDqPSQ25kDtZfqa7QoK+yCGnLZ9bQ1KSX8nwdaUU/5WO/U4lk68QG6MBEq8yf5Iy8bipe09m4gjez+LnoVeyPV68Du+vi8Xl2p3pnUxoBBVoAgXW8u9Ux8+sAk7KUuhwqpV3K+J+Vl5RNFephJKjuy6hRah4ASL66FrcfYoVoiDVhUSSd5Hdpjkpo1Zo9Bnj0vpZ6mNt248BRf+hOlpKMG7eDhUuPPRWbyrAk74YQP9U=
X-Exchange-Antispam-Report-Test: UriScan:(192374486261705);
X-Microsoft-Antispam-PRVS: <BLUPR0701MB1729EBD0802FFBBB03ACC4DB9E600@BLUPR0701MB1729.namprd07.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(10201501046)(3002001)(100000703101)(100105400095)(93006095)(93001095)(6041248)(20161123555025)(20161123560025)(20161123564025)(20161123562025)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BLUPR0701MB1729;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BLUPR0701MB1729;
X-Forefront-PRVS: 04359FAD81
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(6049001)(6009001)(376002)(346002)(377454003)(51914003)(24454002)(189002)(199003)(81166006)(90366009)(66066001)(8936002)(5660300001)(65806001)(65956001)(107886003)(31686004)(106356001)(7736002)(305945005)(25786009)(110136005)(88552002)(966005)(31696002)(6666003)(6486002)(86362001)(39060400002)(6246003)(68736007)(65826007)(229853002)(83506001)(49976008)(2906002)(81156014)(47776003)(8676002)(2950100002)(478600001)(786003)(23676002)(189998001)(430100004)(36756003)(16526017)(3846002)(316002)(54356999)(50986999)(6116002)(6306002)(230700001)(76176999)(53936002)(64126003)(97736004)(53546010)(105586002)(33646002)(50466002)(101416001)(4326008)(58126008)(75432002)(16576012)(3940600001)(6606295002);DIR:OUT;SFP:1501;SCL:1;SRVR:BLUPR0701MB1729;H:[143.215.130.72];FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtCTFVQUjA3MDFNQjE3Mjk7MjM6UndqcG5jYWFESlJ0REp4TlN4OVJtV0wx?=
 =?utf-8?B?YnIwYW9YVDdsN3p1a004cmtYdWZuZ1MrZW5Db0sxR0t2Y1RUOEd2WjFYVVIw?=
 =?utf-8?B?M2pQUXBqV0tvcENnY1JRYS9UUStQUVlsV1VVUnpCbE1RVmFVWWRGcFhFWXdz?=
 =?utf-8?B?a3dLNEZ2R3MrMzJpNU5SbCsxVGpGMmFUNFp4endGTktHcGtDalFIU3Q3NjNQ?=
 =?utf-8?B?dW4zS1lzeko1Q2xJcE1nK3U5MG9oK1pyL2svbmJ3bHhrbFV0clpQSklvOXBN?=
 =?utf-8?B?M1owU0dkR0ZsMlhzbVlSVFlxUzRBTUlEaTduWDVJM3M4U0ZBQk1UVE9UNjJ1?=
 =?utf-8?B?RDNuY3RJVUhuK21CWXZyRUd2bGV4aldtcEJ3Vkk4Mjc4MTJLYnJXZlVZSUNq?=
 =?utf-8?B?dEpuMWJqOEhqRGJBd3B5Vk5FRGx1Wm1SdzREUWtYYnVhY0RoZ3lKcjBVTEty?=
 =?utf-8?B?UHNmZGJ2cCtpOUp0VE5TbUV6TllhQys4bmtQczhUTkkvcjVZSmNuUGVBbXVr?=
 =?utf-8?B?akpVdzQxNjBtdGM3WDJTM0prazR4aHRZS2phNjVZMy9PZ1R1N1M2N21XMnpQ?=
 =?utf-8?B?dTNMS3dKa1JxaSs2LzhwdFQ1eDBBVVgySWl1cDBSSWVybm95NmtWME51U2Rm?=
 =?utf-8?B?T1ZvZkpiQUd4Q2c2a3d4MWhPNDBnd0Jsa0s5aEZORUYwNE5lTnNkMGE0RXFV?=
 =?utf-8?B?eFZlWm5UdjgvQi8rOWFJNjQ5RzZNVDVPYVZvd0l5UE5BTHd0QnQ3Y1lnZktx?=
 =?utf-8?B?VVYzdFFPYU9rZE5FMUs2V3FlMXRVVHh2Y1ZEb1lnSEZaZ2J1M1lSRWZxTFcw?=
 =?utf-8?B?QkRSenFQTjlHeXdDQnNtTysveTVNMThFbUVyU0RHVFd0ZW5DK1BwREo4Wnd5?=
 =?utf-8?B?ZUZwaVNYS1VkaVZBaXJpWDU1T2p4d0NDMGM3MTZ2MnpMY3Z1Rnd3VnpDQ3FO?=
 =?utf-8?B?SHl6R3ZQSkVUbExrMjNvWllrdXR0ODlTYzZlSUJQcWwxcmtiV2dLWUtRRE54?=
 =?utf-8?B?UDMwRVFnZ3ZTdVRMZUdYNXJoY1U4d3J5Y3FGMCtybVlybXFZam9PUVgrM05S?=
 =?utf-8?B?QnVlUndEZ0JtblhuSEdQMzBoVUh5a0dzZHFLODk1UTI0RjdUdjVnRmJkSDVt?=
 =?utf-8?B?STB0cStFdWpRSEI1aTBNcXYwdlBleUVZOVZJdUxWVFJkSllRekpEMXA2b28v?=
 =?utf-8?B?OXVYKzJ0aDcwOHV6QkxlSjVMVnlvd1ZEbjBjbEpENkxkLzJlcDE1djcrY201?=
 =?utf-8?B?elg2a1RsNFRwVDVGNk9MWXhWamp6OEdyVmQ4ekR0bWZUZWtpRUxvektyY1NF?=
 =?utf-8?B?Mk5BVmtHbVFZbGEvalJKZVAybEhsOEpZb0tGRWdkY1JTMnBJS1pSU1hNQ2Zt?=
 =?utf-8?B?SHhhOXBPK0RvY0Y3TlJjeHdUQUZvOVJnUXlMUDI4a2kzcCtpRytyQ0MvaGtN?=
 =?utf-8?B?TnBGeUVLQk4rbzM1MzMxazd3Y0RyMU5NMkNOTmxVVXRVZURzUmFqb2NlQUVC?=
 =?utf-8?B?VGVyS21wVkJnQjQ4aEk3bjQwOW53bGhjOU5TVEVGZk9xVnlOYUFLbjU2a3FT?=
 =?utf-8?B?YWNVcUVXcDl6U1VaR0xTR04zZnBBdmFoZVRFQlFQQ0lVbkJtMW9FSjExcUcw?=
 =?utf-8?B?cjJQeitoODAzZ2ZINGs5RVVwQ1Z5SUZyeHBrdFU0YTBENXVidXo5eDhGTFNF?=
 =?utf-8?B?d2JoNmdyeEF2VXFscnpxQnFJQStVSXlqbnV2UDkxaEYrcHdrVWFlMTA0QmJ4?=
 =?utf-8?B?bS9qUFRLWndTU2E0Z3hZbnpSVVJSdytsY0JvcElET0pZeUVuTk9JMFozc2RI?=
 =?utf-8?B?bW91eDBxRjR0SWFvQWpDdFI1Qm5hNHFVcVo2NGZ4YUtjNUhYd25XUC9BSHJZ?=
 =?utf-8?B?ZWdXOU1QZTRtb1Z0UW4vUGZGa2RsMXBRampPZE1telZ2K0syOExDKzlRVFU2?=
 =?utf-8?B?NE4rbVNtRHAwVUJiSjBkRGhPaHJ4ZXU3QU05Y1VUWXpkZTBjVFJQSFJIWWdz?=
 =?utf-8?B?YW51VEk4aERNOEliUkp5MXp2czNCbXREM2FlaytxN1FuaHR6ZFpzcWxtdm5x?=
 =?utf-8?B?NHJ3R1dKZEFCcUJxNmcyUUwvTXNnV05QRFFDc28wWndEWUFxRDNBRVBMWUdw?=
 =?utf-8?Q?zR8HBCLqVcuBTF0B1HbzhwWWVxVdi6YWW37zrFhSYRpiBl?=
X-Microsoft-Exchange-Diagnostics: 1;BLUPR0701MB1729;6:sBCVq8CZHPZAUqNzqST7KLAm5mUqSQo9UABlQIkhOB2/uc4mqNj84yF8OWLc69X1VO/4mGTx06JY0Cs3C2fGMQSDQvgpUqqONw3sE5yol4G7MSl26OpkhetASE+7KZ/HCt2tHSIJ/0WRLJtlWNJ2kTDFQbLLbX45aZWSyQu57lXkksMHSP8WvA2AuKDKbKwLVc2Q8bPXNSSMDpcrC9GM9xihEfh5QG/1s9/GQYev4YZQdw4BvYQoFm6iBWDLwwYyT3kd92ZaAOZgiO5HALBA+KhNsV1msnKxP8eUUNXDj/NBUEkXId+2Em5HJJ06/py2SVORaNJy+798Z7hq6FdN6Q==;5:xR1im/hXS+ZX2RwYIl8A3XaB2RUQv5uaYyctiT+ZU3FJdaEnszrUyoWQkNKYxPEyM3ZqZJEojeBFfBjwwSLehvQtPVfycZ8HySLlBeOnEK1zAhLVsII4fab+P8MUAARKoLuAba/hFU7kqkJooluA7A==;24:JvWce/zcqfPhnHdVm0PF1a0rV06J1t7Qaei/GU//4dfn8ApMLmjWlH1BY5Mm2vwDU19bezrocpf6z4nAv4l6BAZFSOzsFjaKM1pWI8XPV4w=;7:hPWNHyDxrKBUC/T7DxCpl6JAS05Om2tynA8w8getMUi4C/cKg5ptccI7P/7yQtuOGtlnY+VUglKU60/jasuVsTZrAo3K0j4P9xiyiDkq+eOvwP2jm29uvlVzg+sQ9y6dTQE/W7PD/Sjb8T2KjAL0yAGQcz8r4i6li8/DZJedDfUN2OHiYLqs8zeN3kT37JxqcRFHFuT21Rn7LQ8flABxSe3n4sa0bdpZHSIIA7bBAdI=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: gatech.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Sep 2017 13:54:25.9166 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 482198bb-ae7b-4b25-8b7a-6d7f32faa083
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR0701MB1729
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4126
Lines: 111

Hi Takashi,

Thanks for the reply. In my opinion, many security issues
are in fact unhandled corner cases and this could be one.

In the first fetch, get_user(hm->h.size, (u16 __user *)puhm),
only 2 bytes from puhm are copied in and later it is ensured
that hm->h.size (which is also hm->m0.size given hm is a union)
is no larger than sizeof(*hm). However, this relation is broken
after the second fetch, copy_from_user(hm, puhm, hm->h.size).

As a concrete example, a user could put 0x000A when the first
fetch happens which make hm->h.size <= sizeof(*hm) and later
races to change it to 0xFFFF in the second fetch. What makes it
even worse is this call: hpi_send_recv_f(&hm->m0, &hr->r0, file),
which sends &hm->m0 to a lot of destinations. If any of the
downstream functions assumes that hm->m0.size <= sizeof(*hm)
which is actually not, an exploit can be constructed.

In fact, similar issues have caused vulnerabilities before as in
https://bugzilla.kernel.org/show_bug.cgi?id=116651
https://bugzilla.kernel.org/show_bug.cgi?id=120131,
and more recently the fix in sched/perf
https://marc.info/?l=linux-kernel&m=150401225812533&w=2

Feel free to let us know your opinion.

Best Regards,
Meng

On 09/19/2017 03:27 AM, Takashi Iwai wrote:
> On Tue, 19 Sep 2017 07:21:56 +0200,
> Meng Xu wrote:
>> The hm->h.size is intended to hold the actual size of the hm struct
>> that is copied from userspace and should always be <= sizeof(*hm).
>>
>> However, after copy_from_user(hm, puhm, hm->h.size), since userspace
>> process has full control over the memory region pointed by puhm, it is
>> possible that the value of hm->h.size is different from what is fetched-in
>> previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words,
>> hm->h.size is overriden and the relation between hm->h.size and the hm
>> struct is broken.
>>
>> This patch proposes to use a seperate variable, msg_size, to hold
>> the value of the first fetch and override hm->h.size to msg_size
>> after the second fetch to maintain the relation.
>>
>> Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
> But when user-space already changes the data, the data being read is
> more or less broken in anyway no matter whether we keep the original
> h.size or not, because it doesn't match with h.size, no?
>
> I'd take a fix patch if it would fix some out-of-bounds access or such
> severe issues.  But this sounds like covering a corner-case that is
> broken in anyway.  Or am I missing something else?
>
>
> thanks,
>
> Takashi
>
>> ---
>>   sound/pci/asihpi/hpioctl.c | 12 ++++++++----
>>   1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
>> index 7e3aa50..5badd08 100644
>> --- a/sound/pci/asihpi/hpioctl.c
>> +++ b/sound/pci/asihpi/hpioctl.c
>> @@ -103,6 +103,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>>   	void __user *puhr;
>>   	union hpi_message_buffer_v1 *hm;
>>   	union hpi_response_buffer_v1 *hr;
>> +	u16 msg_size;
>>   	u16 res_max_size;
>>   	u32 uncopied_bytes;
>>   	int err = 0;
>> @@ -127,22 +128,25 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>>   	}
>>   
>>   	/* Now read the message size and data from user space.  */
>> -	if (get_user(hm->h.size, (u16 __user *)puhm)) {
>> +	if (get_user(msg_size, (u16 __user *)puhm)) {
>>   		err = -EFAULT;
>>   		goto out;
>>   	}
>> -	if (hm->h.size > sizeof(*hm))
>> -		hm->h.size = sizeof(*hm);
>> +	if (msg_size > sizeof(*hm))
>> +		msg_size = sizeof(*hm);
>>   
>>   	/* printk(KERN_INFO "message size %d\n", hm->h.wSize); */
>>   
>> -	uncopied_bytes = copy_from_user(hm, puhm, hm->h.size);
>> +	uncopied_bytes = copy_from_user(hm, puhm, msg_size);
>>   	if (uncopied_bytes) {
>>   		HPI_DEBUG_LOG(ERROR, "uncopied bytes %d\n", uncopied_bytes);
>>   		err = -EFAULT;
>>   		goto out;
>>   	}
>>   
>> +	/* Override h.size in case it is changed between two userspace fetches */
>> +	hm->h.size = msg_size;
>> +
>>   	if (get_user(res_max_size, (u16 __user *)puhr)) {
>>   		err = -EFAULT;
>>   		goto out;
>> -- 
>> 2.7.4
>>
>>